Hacking Connected Home Alarm Systems – The Expensive [part 2]

TL;DR: We were wondering whether price affects the security of IoT appliances, so we verified the security of two differently priced connected home alarm systems. Both IoT alarms are marketed as an easy solution to protect your home. Unfortunately, we found this not to be the case, as we identified multiple critical vulnerabilities in both systems.

This blog post discusses some critical vulnerabilities which could allow attackers to disable both alarm systems remotely. Given the security-critical nature of the appliances, we decided not to mention exploitation details or specific devices and to focus on the bigger picture: which security vulnerabilities were identified, and can they be fixed?

Analyzing the expensive device

In a previous blog post we discussed the security of a cheap alarm system acquired from an overseas web shop. The three vulnerabilities discussed there allowed an attacker to gain access to your home without triggering the alarm. This was accomplished either by attacking the wireless communication channel used by the sensors and the alarm hub, or by exploiting a security vulnerability that allows an attacker to disable the alarm remotely.

In this blog post we’ll show three realistic attack scenarios that target the expensive device.

Attack 1 – Replaying of sensor communication

As was the case with the cheap alarm system, the expensive alarm system is vulnerable to jamming attacks. In addition to being vulnerable to jamming attacks, the sensor communication of both devices is also vulnerable to replay attacks.

Every time a sensor is triggered, or every time the remote is used to arm or disarm the alarm system, a message is sent over a wireless communication channel. If the communication protocol is vulnerable to replay attacks, all an attacker has to do is record the disarm message once and then replay it later to disarm the victim’s alarm system.

The video below shows how we first arm the expensive alarm system and then disarm it by replaying a previously captured disarm message. This is made very easy by using an off-the-shelf software defined radio (a HackRF in this case). The attacker is not required to understand how the message is constructed; he/she simply has to record it.
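To make the failure mode concrete, here is an added example (not the vendor's protocol, and not code from the original post) that models both schemes in software, with the radio layer reduced to a byte string. The fixed-code hub accepts the same bytes every time, so one recording of a legitimate disarm keeps working; the second hub requires a per-device shared key (assumed to be provisioned at pairing or manufacturing) and a strictly increasing counter protected by an HMAC, so the recorded frame is rejected on playback. Command values, key sizes and frame layout are illustrative choices.

```python
"""Replay-resistant sensor/remote frames: fixed code vs counter + MAC.

Added example, not the vendor's real protocol. The radio layer is
abstracted away as a byte string; only the message format matters here.
"""
import hashlib
import hmac
import secrets

CMD_ARM = b"\x01"      # constructed command values
CMD_DISARM = b"\x02"
TAG_LEN = 16           # truncated HMAC-SHA256 tag, fits a short radio frame


class FixedCodeHub:
    """Fixed-code scheme: the disarm frame is always the same bytes, so a
    recording of one legitimate disarm is valid forever."""

    def __init__(self, disarm_frame: bytes) -> None:
        self.disarm_frame = disarm_frame
        self.armed = True

    def receive(self, frame: bytes) -> bool:
        if frame == self.disarm_frame:
            self.armed = False
            return True
        return False


class AuthenticatedRemote:
    """Remote/sensor side: shares a per-device key with the hub and keeps a
    counter that must survive power cycles in real firmware."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.counter = 0

    def build_frame(self, cmd: bytes) -> bytes:
        self.counter += 1
        body = self.counter.to_bytes(4, "big") + cmd
        tag = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        return body + tag


class AuthenticatedHub:
    """Hub side: checks the MAC first (constant-time), then enforces a strictly
    increasing counter so any captured frame is rejected when played back."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.last_counter = 0
        self.armed = True

    def receive(self, frame: bytes) -> bool:
        if len(frame) != 4 + 1 + TAG_LEN:
            return False
        body, tag = frame[:5], frame[5:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return False                      # forged or corrupted frame
        counter = int.from_bytes(body[:4], "big")
        cmd = body[4:5]
        if cmd not in (CMD_ARM, CMD_DISARM):
            return False                      # unknown command
        if counter <= self.last_counter:
            return False                      # replayed (or stale) frame
        self.last_counter = counter
        self.armed = cmd == CMD_ARM
        return True


def fixed_code_replay_succeeds() -> bool:
    """True if playing back a recorded disarm frame disarms the fixed-code hub."""
    recorded = b"\x7a\x31\x9c"                # constructed fixed code
    hub = FixedCodeHub(recorded)
    hub.receive(recorded)                     # legitimate disarm
    hub.armed = True                          # owner re-arms later
    return hub.receive(recorded) and not hub.armed


def authenticated_replay_succeeds() -> bool:
    """Same scenario against the counter + MAC scheme; expected to be False."""
    key = secrets.token_bytes(32)
    remote, hub = AuthenticatedRemote(key), AuthenticatedHub(key)
    recorded = remote.build_frame(CMD_DISARM)
    assert hub.receive(recorded)                      # legitimate disarm accepted
    assert hub.receive(remote.build_frame(CMD_ARM))   # owner re-arms
    accepted = hub.receive(recorded)                  # playback of the recording
    return accepted or not hub.armed


if __name__ == "__main__":
    print("fixed code, replay disarms hub:", fixed_code_replay_succeeds())
    print("counter + MAC, replay disarms hub:", authenticated_replay_succeeds())
```

The counter only addresses replay: it does nothing against jamming, and a production design also needs the counter persisted on both sides and a tolerance window for frames lost in transit.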

Attack 2 – Remote alarm takeover

The expensive alarm system can be controlled via a mobile application. In order to control the alarm system via the mobile application, the alarm system and the mobile application first have to be linked together. This linking process is vulnerable, as an attacker can link any alarm system to his/her mobile application. All that he/she needs is the device identifier of the expensive alarm system. The video below shows how we tricked the mobile application into pairing with somebody else’s appliance.

As was the case with the cheap alarm system, the likelihood of this vulnerability being exploited by an attacker depends mainly on how difficult it is to guess the identifier of the victim’s alarm system. We only bought one alarm system, so we can’t tell for sure, but we expect the identifiers to be incremental and thus easily guessable.
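The two points above (the identifier being the only thing required, and identifiers likely being sequential) are what a secure linking flow has to address. The following is an added example of such a flow, not the vendor's real pairing process: it assumes each hub ships with a random, non-sequential device identifier and a per-device pairing secret (for instance printed under the lid), that the hub only opens a short pairing window after a physical button press, and that the service stores only a hash of the secret. Knowing a device identifier alone is then not enough to link it, and an account that is already linked cannot be displaced without a reset.

```python
"""Linking an alarm hub to an app account with proof of possession.

Added example; the pairing secret, button-press window and lockout are
assumed design choices, not the vendor's implementation.
"""
import hashlib
import hmac
import secrets
import time

MAX_FAILED_ATTEMPTS = 5         # assumed online guessing limit per device
PAIRING_WINDOW_SECONDS = 120    # assumed window after a physical button press


def make_device_id() -> str:
    """Random identifier: one hub's id reveals nothing about the next one."""
    return secrets.token_hex(8)


def make_pairing_secret() -> str:
    """Per-device secret printed on the hub; high entropy, so an unsalted hash is fine."""
    return secrets.token_urlsafe(12)


class LinkingService:
    """Cloud/hub-side record of which account may control which hub."""

    def __init__(self, now=time.time) -> None:
        self._now = now          # injectable clock so the flow can be tested offline
        self._devices = {}

    def register_device(self, device_id: str, pairing_secret: str) -> None:
        self._devices[device_id] = {
            "secret_hash": hashlib.sha256(pairing_secret.encode()).digest(),
            "owner": None,
            "failed": 0,
            "window_open_until": 0.0,
        }

    def open_pairing_window(self, device_id: str) -> None:
        """Called by the hub itself after someone presses its pairing button."""
        self._devices[device_id]["window_open_until"] = self._now() + PAIRING_WINDOW_SECONDS

    def link(self, device_id: str, pairing_secret: str, account: str) -> bool:
        dev = self._devices.get(device_id)
        if dev is None:
            return False
        if dev["owner"] is not None and dev["owner"] != account:
            return False         # already linked; re-linking needs a factory reset (assumed)
        if dev["failed"] >= MAX_FAILED_ATTEMPTS:
            return False         # locked out; online guessing is not viable
        if self._now() > dev["window_open_until"]:
            return False         # nobody pressed the button on the hub
        presented = hashlib.sha256(pairing_secret.encode()).digest()
        if not hmac.compare_digest(presented, dev["secret_hash"]):
            dev["failed"] += 1
            return False
        dev["owner"] = account
        dev["failed"] = 0
        dev["window_open_until"] = 0.0
        return True


def scenario() -> dict:
    """Walk through the checks with a fake clock; returns each outcome by name."""
    clock = [1000.0]
    svc = LinkingService(now=lambda: clock[0])
    dev_id, secret = make_device_id(), make_pairing_secret()
    svc.register_device(dev_id, secret)
    results = {}
    results["id_only_no_window"] = svc.link(dev_id, "guess", "stranger")
    svc.open_pairing_window(dev_id)
    results["id_only_during_window"] = svc.link(dev_id, "guess", "stranger")
    results["owner_with_secret"] = svc.link(dev_id, secret, "owner")
    svc.open_pairing_window(dev_id)
    results["stranger_with_leaked_secret"] = svc.link(dev_id, secret, "stranger")
    clock[0] += PAIRING_WINDOW_SECONDS + 1
    results["owner_relink_after_window"] = svc.link(dev_id, secret, "owner")
    return results


if __name__ == "__main__":
    for name, outcome in scenario().items():
        print(f"{name}: {'linked' if outcome else 'refused'}")
```

The ordering of the checks matters: the owner test and the lockout come before the secret comparison, so a locked or already-owned device never reveals whether a presented secret was correct.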

Attack 3 – Insecure storage of sensitive information

The flash memory of the expensive device being removed. It’s easier than it looks!

After reading these horror stories concerning the security of IoT devices, you might decide that you don’t want any of these in your house anymore. We won’t blame you if you want to throw them all out, it’s your device after all, but please be careful when throwing out appliances, as they might contain sensitive information!

For example, these alarm systems contain the password to your home WiFi network, and it’s stored in plain text! All an attacker has to do to gain access to your home network is dumpster dive in your trash to grab the device, open it up, remove the flash memory and dump the passwords.

What can be done

The good news is that all of the above vulnerabilities can be fixed. There are protocols that prevent attackers from replaying messages, there are ways to pair devices securely, and there are ways to encrypt sensitive information at rest.

The bad news is that while the cheap alarm system can receive firmware updates, the expensive device can’t. If the vendor of the expensive device wanted to fix these vulnerabilities, they would have to recall devices, and that is most probably not going to happen.

So what can be done? Only one thing: the vendor has to learn from these mistakes and make sure that they are not repeated in future products.

Responsible disclosure

Unlike the vendors of the cheap alarm system, we were able to contact the vendors of the expensive device. However, disclosure did not go smoothly, as there was no one within the vendor’s organisation responsible for tackling security-related issues.

Eventually we were put in contact with the development team in China. Unfortunately, they were not interested in our findings, as they had recently released a new alarm system which supposedly fixed all of them. The sad thing is, they never asked for the details of our findings.

Timeline of events:

August 2017 – First efforts in contacting the vendor via email, no response.

Early March 2018 – After some time we decided to try a second time, this time with success: we got in contact with the European vendor.

End of March 2018 – After many emails, the European vendor notified us that they were not interested in our findings, as they had recently released a new alarm system.

Does price affect the security of IoT devices?

Whether price affects the security of IoT appliances can’t really be answered by comparing two appliances. What we can say, however, is that we found numerous critical vulnerabilities in both devices that will probably never be fixed.

The cheap alarm system can be updated, but we were unable to contact the device vendors. The expensive alarm system can’t be updated and the device vendor never requested an overview of the issues we identified.

Going forward, we plan to take apart more devices (we already got our hands on an industry-grade alarm system!). We will make sure to keep sharing our findings!

Stay safe! And don’t forget to arm your alarm tonight! 🐀😀

About the author

Cédric Bassem is an IT Security Consultant at NVISO where he focuses on securing Internet of Things (IoT) devices. In a nutshell, this means helping companies make sure that their next state-of-the-art devices are secure by assisting them in every step of the software development life cycle.